>>53
I do both actually. A mix of static RCE and debugging yields best results. However, this is only because it's the fastest way of acquiring information (only disassembling can take too long, especially if the code overuses indirection, only debugging can get you to some specific targets, but if there are no obvious things to look into at runtime, it can end up wasting time while being not very productive, however mixing both techniques yields best results - you can gain a large overview of the code using static code analysis and then inform your debugging with the information you gained statically, which will usually yield more information which can then be used to clarify whatever parts were unclear statically - both techniques complement each other, and using either by itself makes you spend a lot more time to achieve your goals).